New Release: Tor Browser 10.0.4

by sysrqb | November 10, 2020

Tor Browser 10.0.4 is now available from the Tor Browser download page and also from our distribution directory.

This release updates NoScript to 11.1.5 and includes an important security update to Firefox.

The full changelog since Tor Browser 10.0.2 (Desktop) is:

  • Windows + OS X + Linux
    • Update NoScript to 11.1.5
    • Bug 40021: Keep page shown after Tor Browser update purple
    • Bug 40022: EOY November Update - Matching
    • Bug 40219: Backport Mozilla Bug 1675905
    • Translations update
  • Build System
    • Windows + OS X + Linux
      • Update Go to 1.14.11
      • Bug 40141: Include "desktop" in signed tag

The full changelog since Tor Browser 10.0.3 (Android) is:

  • Android
    • Update NoScript to 11.1.5
    • Bug 40022: EOY November Update - Matching
    • Bug 40106: EOY November Update - Matching
    • Bug 40219: Backport Mozilla Bug 1675905
    • Translations update
  • Build System
    • Android
      • Update Go to 1.14.11
      • Bug 40141: Include "android" in signed tag

Comments

Please note that the comment area below has been archived.

Here are some ways to do that kind of thing; some require more effort than others:
* Use Dark Reader https://addons.mozilla.org/en-US/firefox/addon/darkreader
* Use Dark Background and Light Text https://addons.mozilla.org/en-US/firefox/addon/dark-background-light-te…
* Use a Dark theme. Menu > Customise > Theme button on bottom > Dark
* Change Browser/.config/gtk-3.0/settings.ini
* > Add "gtk-application-prefer-dark-theme=true"
* > or add "gtk-theme-name=MYDARKTHEMENAME"

November 10, 2020

Hopefully this update will see a few issues removed from the very buggy and sketchy Android version. In relation to the tickets you have raised for said app, please DO NOT keep the permissions for camera, audio or fingerprint/biometric data. These permissions are unneeded and add huge attack vectors to an unstable app. If people need to take photos they can use the default camera app and clean the image in ObscuraCam, if people need to be audio recorded over the internet then they don't need Tor in the first place. The fingerprint/bio info also just adds another needless point of possible failure. Please completely remove the Google password saver, many people go through time and effort of custom ROM use in order to avoid Google, the last thing they need is for Google to pop up at one of the last points of contact. It was also said that the new app must be used for up to date protection, but isn't it majorly vulnerable until the needless permissions get removed? Couldn't a malicious onion site try to access GPS and camera use? Could a malicious node take advantage of this in any way?
The lack of trust (and thus users) would lead me to also believe that these newer versions are more fingerprintable as the crowd of users is smaller, timed correlation attacks are probably going to be pretty easy for a while, or am I wrong?

What is your concern with the browser having access to the camera, audio, and biometrics? Do you think a website can gain access to these devices without receiving explicit permission from you?

On recent versions of Android, these permissions are not allowed by default. You will be prompted before the browser may use these features/devices and you can revoke permission at any time in Android's App settings.

November 10, 2020

In reply to sysrqb

Sysrqb what is wrong with you. The OP makes highly valid points about reducing various attack vectors, the very point of privacy and security hardening, and you brazenly ask him what his concern is?

Would you leave the front door to your home open at night? Leave a suitcase of cash open on the car seat? Take a leisurely walk in the ghetto at 3am? Have you lost your mind? Why intentionally dangle dangerous, risky settings that serve no viable purpose in a privacy browser?

"Your attitude is laudable Doctor, but your reasoning is reckless." --Spock

November 11, 2020

In reply to sysrqb

Yes, I'm sure it is more than possible for a malicious website to bypass the permission requests and gain ungranted access, previous versions didn't have these permissions and all those versions happen to work a hell of a lot better than the last two broken jumbles you've put out (half a year for THIS, really?) It will take another half year just to make it useable.
You also ignored my question about attackers having access to the GPS info (that you've apparently switched off but also made sure the end user can't check for themselves, apparently reading about:config is more of a risk than just hoping a glitchy new release happens to do as asked) You didn't respond about the lack of users making it more fingerprintable either, which leads me to believe that it is indeed more fingerprintable. Read the playstore reviews, most people install the update, realise it's crap and then downgrade back to the working 68.10.1 version within 5 minutes. You've really messed up with the mobile app, Guardian Project had more of an idea what to do. Either fix this mess or let us have Orfox back. Protect your users.

I did not ignore your question about attackers having access to the GPS info. On Android 6 and newer, you have control over which permissions are granted, and those permissions (including GPS) are not allowed by default.

https://support.google.com/googleplay/answer/6270602?hl=en

In addition, we will delete some of the requested permissions:
https://gitlab.torproject.org/tpo/applications/fenix/-/issues/40109

Access to about:config does not provide you with the transparency you believe it does. If you believe the preference values, then you must audit the code and confirm those preferences are used as expected, too. Exposing about:config only allows people to modify the browser such that they become more unique and fingerprintable.

We don't have any evidence that the biometrics make a user or their device more fingerprintable. If we did, then that functionality would be disabled. This is how Tor Browser is designed and it is how development works. Features in Firefox are kept in Tor Browser only when we're confident they do not leak or reveal unnecessary additional identifying information. Sometimes we miss a new leak, and we appreciate reports from anyone when they discover such an oversight.

I'm sorry you do not like the new app and the new interface, but this is the foundation we have for building a privacy-focused web browser that won't bypass a proxy and provides fingerprinting resistance. Using version 68.10.1 (or any 68 version) exposes you to the growing list of known vulnerabilities, and security is essential for privacy. Please keep this in mind.

Please report bugs and crashes so we can fix them.

Most of this is down to Mozilla basically, the Tor project has limited resources. In my opinion mobiles just aren't secure enough for a privacy based browser, as these things are 'built-in'. No idea why Tor project think they need bio-metrics or such feature support in the app though, seems such functions would only be a hazard.

November 10, 2020

I need access to about:config. I need to configure it to use Orbot which connects over SOCKS to my censorship evasion tool. I can't do direct connections, the GFW doesn't like it. And bridges only work some of the time.

November 11, 2020

In reply to sysrqb

Does Orbot provide support for a different type of bridge?

Yes, it allows access to different types of bridge, obfs4, meek-azure and Amazon.

What is missing in the Tor Browser app?

True anonymity and everything else that made Tor

November 10, 2020

And happiness spread throughout the land. All were content and snug in their beds.

November 10, 2020

Why does TBB (Firefox) connect to firefox.settings.services.mozilla.com?
content-signature-2.cdn.mozilla.net is for revocation, right?

But, when wanted, how to stop this? Or is this forced?

November 10, 2020

Hi,

Some features missing in android from the 9x series.

The UI added less convenience in the android clients in this version compared to v9x series, viz.

1. The print button as 'Save as PDF' is gone.
2. The `share` and other convenient icons at the top of the menu bar are gone.
3. Opening a new tab is a hassle in this version (`New Private Tab` is gone)
4. Dark theme is rigid without any customization possibility.
5. Extremely slow rendering compared to v9

6. The only upside is it is rarely crashing!

Cheers and stay safe

November 11, 2020

OSX issue?
Tor is dumping hundreds of megabytes into my TorBrowser-Data folder and also my Tor browser swelled to 643mb!

What is happening? what can I delete and should not delete?

Thank you.

November 11, 2020

Tor Browser (or perhaps tor actually) needs to be closed and completely restarted after the laptop wakes up from sleep.

I think that this is not a new issue.

From where in Tor Browser is it possible to restart tor? New Identity restarts Tor Browser, but apparently not tor.

Is there something in the Tor Browser GUI that causes tor to reopen its connection to the guard?

Correct, this is not a new issue, and restarting the tor process is not easy. Usually the connectivity issue resolves itself after a few minutes due to tor's retry logic and some background connections. One hacky solution some people use is toggling the bridges configuration, but that is difficult based on your next comment.

November 11, 2020

Also, clicking "Tor" on about:preferences does not seem to do anything.

Address bar changes to about:preferences#tor but that is only visible change.

For example, when General is clicked first there is about:preferences#general
and then click Tor gives about:preferences#tor but that does not change what is displayed.

The same occurs when Home is clicked first and the address bar is about:preferences#home
then is clicked Tor then address bar is changed to about:preferences#tor but guestion displayed is still about home.

November 13, 2020

People, please stop bitching at the Tor Browser developers about the UI and permissions and stuff. That's all Mozilla. The Tor Browser developers have worked very hard to bring you the only browser in the world that offers any real degree of anonymity, given only Firefox to work with. If you're thinking about bitching, I suggest you download the equivalent version of Firefox for Android (Fenix) first, and then go bitch at Mozilla for everything you feel is wrong with it. Then we'll talk about Tor Browser.

November 13, 2020

It would be good with a comments list like this for users to make quick comments on issues and bugs for the present releases without having to register and sign up for GitLab, creating tickets etc. (which average users won't) when a quick comment could do.

Then I could have dropped them a quick note saying the "[WARN] Pluggable Transport process terminated with status code 0" -bug is still occasionally happening in present release on win10, but that TOR still operates (so the bug goes unnoticed and might/might not be of importance). It seems they need statistics from average users about this.

But since such comments are not encouraged in this discussion I will of course not comment it here - But moderators here may slip a note about this to David Goulet, Roger Dingledine, et al. (and tell GitLab folks to perhaps make a comments list like this one if they wish more statistics from average users).

November 13, 2020

"includes an important security update to Firefox."
How did you do that without updating to 78.4.1esr ?

November 15, 2020

Hi, I am using this Tor Browser. But websites don't show Tamil fonts; instead they show squares with question marks inside. While searching, Firefox articles suggest changing about:config settings. But I am not sure that it is safe to do that.